Hi Mailing List,

I would appreciate some help to get mail sending out of my routed DMZ
to work.

What currently happens in my setup is that a DMZ machine can contact
the mail server on the external internet via port 25.

But the mail server's replies to the DMZ machine on high ports
4436 and 4437 are blocked in the input chain.

To clarify I do NOT want to open port 25 to the outside.

I read the docs and network.conf and tried to fix this by setting
DMZ_HIGH_TCP_CONNECT to YES. This did not help.

Below is an extract from
ipchains -L --line-numbers -n
for the high port range, IP addresses replaced with symbolic values
from the script:

Chain input (policy DENY):
num  target     prot opt     source                destination           ports
34   ACCEPT     tcp  ------  0.0.0.0/0            EXTERN_IP             * ->   1024:65535


I think the following was done by DMZ_HIGH_TCP_CONNECT=YES:

Chain forward (policy DENY):
num  target     prot opt     source                destination           ports
12   ACCEPT     tcp  ------  0.0.0.0/0            DMZ_NET               * ->   1024:65535

To be honest I don't understand this yet.

If the mail server on the internet sends a packet to a high
port on the DMZ machine (not the router address EXTERN_IP)
then what is the purpose of opening EXTERN_IP?

Should it not be DMZ_NET, the network of the final recipient of the
packet?

I could understand that opening EXTERN_IP is required to allow packets
to reach services that run on the router itself e.g. ssh.

What part in network.conf or ipfilter.conf needs to be configured to
fix my problem?


Here is my simple setup:

There are only 2 networks.

What makes things REALLY easy is that these small networks don't need
to be hidden or address-translated. They are both physically and IP
address-wise different networks with routable IP addresses in the
public internet IP range.

I think Charles Steinkuehler terms this a "Routed DMZ".

Here is the map:

      ~~~~~~~~~~~~~~~~~~~~~~
      {    ISP Network     }
      {   a0.b0.c0.d/26    }
      ~~~~~~~~~~~~~~~~~~~~~~
                |
             Ethernet
                |
                |
      -----------------------
      |   eth0 EXTERN_IP    |
      |     LRP ROUTER      |
      |        eth1         |
      -----------------------
                |
             Ethernet
                |
                |
      ~~~~~~~~~~~~~~~~~~~~~~
      {     DMZ Network    }
      {  a1.b1.c1.d1/29    }
      ~~~~~~~~~~~~~~~~~~~~~~


No address translation occurs; all addresses are real world IPs.
The DMZ network is NOT a subnet of the ISP network.

Many thanks!

Bernard
[EMAIL PROTECTED]



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
